VPN Tunnel between Cisco 877 ADSL Modem and Watchguard Firebox X1000 not passing traffic one way

I have a VPN Tunnel setup with a Firebox X1000 at my main site, and a Cisco 877 at my remote site. When traffic is initiated from the cisco side the tunnel comes up fine and traffic can pass both ways with no issue. When the cisco side is idle for a given amount of time the tunnel goes down and the firebox will not initiate it even if I try to access the 877 segment. The packets never make it past the firebox. But when the cisco side pings, the packets make it to the firebox and back.

Here is the log from my firebox...

04/06/06 10:54  iked[157]:  FROM  71.***.**.*** MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR   ISA_SA ISA_VENDORID
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** MM-HDR   ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID NAT-D NAT-D
04/06/06 10:54  iked[157]:  Rejecting peer XAUTH request: not configured
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
04/06/06 10:54  iked[157]:  CRYPTO ACTIVE after delay
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
04/06/06 10:54  iked[157]:  Received INITIAL_CONTACT message, mess_id=0x00000000
04/06/06 10:54  iked[157]:  TO    71.***.**.*** MM-HDR*  ISA_ID ISA_HASH
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/06/06 10:54  iked[157]:  Phase 1 completed as responder
04/06/06 10:54  iked[157]:  Deleting old phase 1 SA for 71.***.**.***
04/06/06 10:54  iked[157]:  Deleting SA: peer        71.***.**.***
04/06/06 10:54  iked[157]:               my_cookie   9E**************
04/06/06 10:54  iked[157]:               peer_cookie 00**************
04/06/06 10:54  iked[157]:  ipsec_cancel_acquire: Called as Initiator
04/06/06 10:54  iked[157]:  Cancelled acquire for channel (9)
04/06/06 10:54  iked[157]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=68.***.**.**, raddr=71.***.**.***
04/06/06 10:54  iked[157]:  TO    71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/06/06 10:54  iked[157]:  FROM  71.***.**.*** QM-HDR* -917E8CE1 ISA_HASH
04/06/06 10:54  iked[157]:  Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_SHA1 Life=3600sec/4608000KB SPI=32BAB33C
04/06/06 10:54  iked[157]:  Load inbound  ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_SHA1 Life=3600sec/4608000KB SPI=0F04D62D
04/06/06 10:54  iked[157]:  Tunnel created for 192.168.1.0/24 <-> 192.168.2.0/24
04/06/06 10:54  iked[157]:  Committing SAs for channel=9 established with QM message_id=917E8CE1
04/06/06 10:54  kernel:  ipsec: make bundle for channel 9, 1 in SA's, 1 out SA's
04/06/06 10:54  kernel:  ipsec: Removing old input bundle

Any one have any ideas as to why? I have a ticket open with cisco but they are saying it is my firebox. I do not carry a service contract with watchguard because I am trying to get all of my equipment over to cisco.


Also... Tracert stops at my firebox and goes no further. That is when the firebox tries to initiate the tunnel with the cisco 877.
Also.... None of the pcs on the cisco 877 side can access the internet? I am not sure if this has anything to do with the resolve.
_SKIN_Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FrabbleCommented:
That log seems to show a tunnel being set up and not showing the problem.

One thing that could do as you describe is if Perfect Forward Secrecy (PFS) is enabled on the Firebox and not on the Cisco. Check your IPSEC/Phase 2 configurations on each - they must match!

Your internet access problem with the 877 could possibly be an access-list/NAT mis-configuration. I suggest you raise another question for this with a "safe" (public IP addresses and passwords masked) copy of the configuration.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
_SKIN_Author Commented:
I figured it out... The diffie helmen group was set to group 1 on the firebox and the diffie helmen group was set to 2 on the cisco box. I do not know any thing about diffie helmen groups but when I changed the firebox to group 2 it worked fine.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.